New computer virus hitting Iran could be more potent than it looks

‘Batchwiper’ seems to be a simple Trojan, says Israeli expert, but so was the malware that apparently prefaced Stuxnet By David Shamah

A new apparently simple computer virus targeting Iran may be more potent than it appears, according to an Israeli security expert.

The Iranian Maher computer security center said earlier this week it had identified a new malware that creates files on desktop and laptop Windows computers that completely wipe out the data on disk drives.

The malware is “simple in design,” the Iranian group said, but it is “efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software,” and thus constitutes a major threat to computers in Iran.

The malware, considered a Trojan by security experts because it sits on a hard drive for a period and acts only at a specific trigger point, is being termed Batchwiper in the security community. Victims affected by the Trojan will have drives D: through I: on their computers completely erased, with no chance of restoring files. Those drives are generally used for data and file storage by most Windows users.

The operating systems found so far to be affected are Windows XP and Windows 7, and the effect has not yet been observed on new Windows 8 systems. However, as most Windows users still rely on the older operating systems, the Trojan has the potential to cause widespread damage. According to security experts, the virus, which was first seen several weeks ago, does its erasing on specific dates, the next one being January 21, 2013.

It isn’t clear how Batchwiper is being spread, although some experts suspect that it is moving via email or USB data drives. The Trojan itself is actually rather simple, a throwback to viruses from a decade and more ago. Once installed on a system it sets up a batch file which opens itself up when the computer’s internal clock hits a specific date. It appears in the process list as a legitimate process, called GrooveMonitor.exe, associated with Microsoft Office 2007. Experts said that Batchwiper is nowhere as sophisticated as recent viruses and Trojans to hit Iran, but for those unfortunate enough to get it, the damage can be significant.

According to security firm Symantec, “the threat has no visible connection to Stuxnet, Flame, or Gauss,” three major viruses that have recently struck Iranian computers that are thought to have been distributed by an organization out to destroy Iran’s computer networks, perhaps with the aim of damaging Iran’s nuclear program.

The fact that it appears to be the type of virus “that could be written by a hacker kid,” said Israeli security expert Shmuel Tamar, would make it appear that Batchwiper is just a run-of-the-mill virus attack.

But looks can be deceiving. “This is Iran, after all, which is in the cyber-gunsights of many groups and governments,” said Tamar, who works for a major database firm in Jerusalem. “Sometimes ‘simple’ attacks like this are a smokescreen, masking something else going on in a system that is doing a lot more damage.”

Case in point: It was a very similar Trojan, called Wiper, that drew attention to a file that was added to Iranian computers that were eventually found to be suffering from Stuxnet. Although analysts thought that Wiper was also a simple virus, it turned out to be much more, and its connection to Stuxnet is still being analyzed. “In the virus world, anything is possible, and everyone is a potential suspect,” said Tamar.